Jason Day

May 15 2017
 
  1. If you haven't already got it, download and install Nmap from https://nmap.org/
  2. Download the script from https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse
  3. Save it to the Nmap NSE script directory
    1. Windows location is C:\Program Files (x86)\Nmap\scripts
    2. Linux – /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
    3. OSX – /opt/local/share/nmap/scripts/
  4. Test the script on a known vulnerable device such as 202.157.185.31 or 64.17.101.90
    1. nmap -sC -p 445 --max-hostgroup 3 --open --script smb-vuln-ms17-010.nse 64.17.101.90
  5. Run it against your environment

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 10:30 South Africa Standard Time
Nmap scan report for ns.bvtsvc.com (64.17.101.90)
Host is up (0.22s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 4.63 seconds

 

Dec 29 2016
 

When creating a new folder in Explorer, it takes forever to complete and the window appears to hang. Follow these steps to resolve it.


The quick fix for me was to click on the View tab and, under the Options drop down, select “Change folder and search options”.


Click the Clear


EXTRA:

Additionally, I’d recommend running the following two commands one after the other in Command Prompt (Admin) [Windows key + X and select it]:

DISM.exe /Online /Cleanup-image /Restorehealth

sfc /scannow

 

Jun 24 2015
 
EVENT # 408355
EVENT LOG Application
EVENT TYPE Error
SOURCE MSExchangeSA
CATEGORY General
EVENT ID 9385
DATE / TIME 2015/06/23 04:38:02 PM
COMPUTERNAME JuniperEX2010
MESSAGE Microsoft Exchange System Attendant failed to read the membership of the universal security group ‘/dc=/dc=/dc=/ou=Microsoft Exchange Security Groups/cn=Exchange Servers’; the error code was ‘8007203a’. The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group.If this computer is not a member of the group ‘/dc=/dc=/dc=/ou=Microsoft Exchange Security Groups/cn=Exchange Servers’, you should manually stop all Microsoft Exchange services, run the task ‘add-ExchangeServerGroupMember,’ and then restart all Microsoft Exchange services.

 

Solution:

On the server generating the error, restart the Microsoft Exchange System Attendant service.

Aug 28 2014
 

from: PowerShell.com

All PowerShell Versions

To test whether a particular service is still responding, use a clever trick. First, ask WMI for the service you want to check. WMI will happily return the process ID of the underlying process.

Next, look up this process, and the process object will tell you whether the process is frozen or responding:

function Test-ServiceResponding($ServiceName)
{
  # Ask WMI for the service; it carries the PID of the hosting process
  $service = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
  $processID = $service.ProcessId
  # Look the process up and return its Responding flag
  $process = Get-Process -Id $processID
  $process.Responding
}

This example would check whether the Spooler service is still responding:

 
PS> Test-ServiceResponding -ServiceName Spooler
True

Note that the example code assumes that the service is running. If you wanted to, you could add a check to exclude non-running services yourself.
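As an added example (my own code, not the PowerShell.com snippet above), the following function uses the same WMI-then-Get-Process trick but handles the case the note mentions: stopped or missing services and stale process IDs are reported instead of throwing. The function name and the status fields are my own.

```powershell
# Added example, not from PowerShell.com: report whether a service's host process
# is responding, without assuming the service is installed or running.
function Get-ServiceResponsiveness {
    param([Parameter(Mandatory)][string[]]$ServiceName)

    foreach ($name in $ServiceName) {
        # Escape single quotes so the name cannot break out of the WQL filter
        $safe    = $name -replace "'", "\'"
        $service = Get-WmiObject -Class Win32_Service -Filter "Name='$safe'"

        $status = [pscustomobject]@{
            Service    = $name
            State      = $null
            ProcessId  = $null
            Responding = $null   # $true/$false only when a live process was found
        }

        if (-not $service) {
            $status.State = 'NotInstalled'
        }
        elseif ($service.State -ne 'Running' -or $service.ProcessId -eq 0) {
            # Stopped, paused or still-starting services have no usable PID (WMI reports 0)
            $status.State = $service.State
        }
        else {
            $status.State     = $service.State
            $status.ProcessId = $service.ProcessId
            $proc = Get-Process -Id $service.ProcessId -ErrorAction SilentlyContinue
            if ($proc) { $status.Responding = $proc.Responding }
            else       { $status.State = 'ProcessNotFound' }   # stale PID or access denied
        }
        $status
    }
}

# Usage: Get-ServiceResponsiveness -ServiceName Spooler, wuauserv, NoSuchService | Format-Table
```

Responding reflects the process's window message loop, so a service with no window reports True regardless of what its worker threads are doing; treat False as the only conclusive answer.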

Apr 17 2014
 

This script simply gets all “client” computer names from Active Directory, then reads WMI properties to ascertain whether each one is a desktop, laptop, etc., and writes the result into the computer object's Description.

# Only client machines, and only the Description attribute is needed
$Computers = Get-ADComputer -Filter {OperatingSystem -notlike "*Server*"} -Properties Description
Foreach ($computer in $Computers) {
    IF ($null -eq $computer.Description) {
        $testcomputer = $computer.Name
        IF (Test-Path "\\$testcomputer\c$") {
            $value = Get-WmiObject -Class Win32_SystemEnclosure -ComputerName $computer.Name -ErrorAction SilentlyContinue
            IF ($null -ne $value) {
                # ChassisTypes is an array; the first entry is the one that matters
                $ChassisType = [int]($value.ChassisTypes | Select-Object -First 1)
                $update = Switch ($ChassisType) {
                    1  {"Other"}
                    2  {"Virtual Machine"}
                    3  {"Desktop"}
                    4  {"Low Profile Desktop"}
                    5  {"Pizza Box"}
                    6  {"Mini Tower"}
                    7  {"Tower"}
                    8  {"Portable"}
                    9  {"Laptop"}
                    10 {"Notebook"}
                    11 {"Handheld"}
                    12 {"Docking Station"}
                    13 {"All-in-One"}
                    14 {"Sub-Notebook"}
                    15 {"Space Saving"}
                    16 {"Lunch Box"}
                    17 {"Main System Chassis"}
                    18 {"Expansion Chassis"}
                    19 {"Sub-Chassis"}
                    20 {"Bus Expansion Chassis"}
                    21 {"Peripheral Chassis"}
                    22 {"Storage Chassis"}
                    23 {"Rack Mount Chassis"}
                    24 {"Sealed-Case PC"}
                    default {"Unknown"}
                }
                If ($update -ne "Unknown") {
                    $output = $computer.Name, $update
                    Write-Host $output -BackgroundColor DarkGreen -ForegroundColor White
                    Set-ADComputer -Identity $computer -Description $update
                }
                else {
                    Write-Host "$($computer.Name) unknown chassis type $ChassisType" -BackgroundColor Blue -ForegroundColor White
                }
            }
            else {
                Write-Host "$($computer.Name) WMI FAILED" -BackgroundColor Blue -ForegroundColor White
            }
        }
        else {
            Write-Host "$($computer.Name) Fail path test" -BackgroundColor Red -ForegroundColor White
        }
    }
    else {
        Write-Host "$($computer.Name) Description is already $($computer.Description)"
    }
}

Apr 11 2014
 

Heartbleed is a critical OpenSSL vulnerability that needs to be patched on web servers hosted on the internet. I would imagine web systems on a private LAN are not at as critical a risk.

Refer to the following website for latest update news:
http://www.openssl.org/

If you have Nmap with the Zenmap GUI installed on Windows, you can easily run the following command to scan a system or systems for the vulnerability.

First download the following Nmap script files:
https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse [As in my example, place in C:\Program Files (x86)\Nmap\scripts]
https://svn.nmap.org/nmap/nselib/tls.lua [As in my example, place in C:\Program Files (x86)\Nmap\nselib]

The example website below had the Heartbleed vulnerability as at the date stamp in the scan.

nmap -sV -p 443,4343,21,981,1311,4712,9443 -oX "C:\temp\HeartBleed.xml" --script ssl-heartbleed.nse www.chinesecol.com

An example of a system that does not have the vulnerability; the best one is www.openssl.org:

nmap -sV -p 443,4343,21,981,1311,4712,9443 -oX "C:\temp\HeartBleed.xml" --script ssl-heartbleed.nse www.openssl.org
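Both the Heartbleed scans here and the ms17-010 scan earlier on this page print a "State: VULNERABLE" line for affected hosts. As an added example, not part of the original post, the following PowerShell function reads the XML file written with -oX and lists every host and port where either script reported that state; the function name and the usage path are my own.

```powershell
# Added example, not from the original post: summarise an nmap -oX report and list
# every host/port where an NSE vuln script reported "State: VULNERABLE", which is
# the line both smb-vuln-ms17-010 and ssl-heartbleed produce.
function Get-NmapVulnerableHost {
    param(
        [Parameter(Mandatory)][string]$XmlPath,                        # file written with -oX
        [string[]]$ScriptId = @('smb-vuln-ms17-010', 'ssl-heartbleed')
    )
    [xml]$report = Get-Content -LiteralPath $XmlPath -Raw

    foreach ($h in $report.nmaprun.host) {
        $addr = ($h.address | Where-Object { $_.addrtype -eq 'ipv4' } | Select-Object -First 1).addr
        $name = ($h.hostnames.hostname | Select-Object -First 1).name

        # Host scripts (ms17-010) sit under <hostscript>; port scripts (heartbleed) under <ports>/<port>
        $entries = @()
        foreach ($s in $h.hostscript.script) {
            $entries += [pscustomobject]@{ Port = ''; Script = $s }
        }
        foreach ($p in $h.ports.port) {
            foreach ($s in $p.script) {
                $entries += [pscustomobject]@{ Port = "$($p.portid)/$($p.protocol)"; Script = $s }
            }
        }

        foreach ($e in $entries) {
            $s = $e.Script
            if ($ScriptId -notcontains $s.id) { continue }
            # "State: NOT VULNERABLE" and "State: LIKELY VULNERABLE" do not match this pattern
            if ($s.output -notmatch 'State:\s*VULNERABLE') { continue }
            $cves = [regex]::Matches($s.output, 'CVE-\d{4}-\d+') | ForEach-Object { $_.Value } | Select-Object -Unique
            [pscustomobject]@{
                Address  = $addr
                Hostname = $name
                Port     = $e.Port
                Script   = $s.id
                CVE      = ($cves -join ', ')
            }
        }
    }
}

# Usage: Get-NmapVulnerableHost -XmlPath 'C:\temp\HeartBleed.xml' | Format-Table -AutoSize
```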

Mar 05 2014
 

If you are receiving the below error message when trying to do backups or access the Shadow Copies under the local disk Properties, try the fix below.

Volume Shadow Copy Service information: The COM Server with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} and name SW_PROV cannot be started. [0x80070424]

Troubleshooting

1) Checked and found the Microsoft Software Shadow Copy Provider service was missing from the Services console.
2) Tried to take a System State backup of the server; however, it failed with the error.
3) Checked and found that the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSPRV is missing as well.
4) Tried to register it using regsvr32 /i swprv.dll but got the error.
5) Ran the command C:\Windows\System32\svchost.exe -k swprv (this will load the DLL and recreate the service).
6) Found the “Microsoft Software Shadow Copy Provider service” is still not present.
7) Ran the following commands:
Regsvr32 C:\Windows\System32\vss_ddu.dll
Regsvr32 C:\Windows\System32\ES.DLL
Regsvr32 C:\Windows\System32\EVENTCLS.DLL
Regsvr32 C:\Windows\System32\vssui.dll
Regsvr32 C:\Windows\System32\wbem\vsswmi.dll
Regsvr32 C:\Windows\System32\Cluster\vsstask.dll
Regsvr32 C:\Windows\System32\Cluster\vsstskex.dll
Regsvr32 C:\Windows\System32\vss_ps.dll
Regsvr32 C:\Windows\System32\vssui.dll
Regsvr32 C:\Windows\System32\ole32.dll
Regsvr32 C:\Windows\System32\msxml.dll
Regsvr32 C:\Windows\System32\msxml2.dll
Regsvr32 C:\Windows\System32\msxml3.dll
Regsvr32 C:\Windows\System32\msxml4.dll
Regsvr32 "C:\Program Files\Microsoft SQL Server\80\COM\sqlvdi.dll"
Regsvr32 C:\Windows\System32\Vssvc.exe /Register
8) Replaced swprv.dll from a working machine.
9) Found that we now have swprv present in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swprv
10) Ran the following commands:
regsvr32 ATL.dll
regsvr32 swprv.dll
11) Checked and found we now also have the “Microsoft Software Shadow Copy Provider Service” in the services.msc console.
12) Took a System State backup of the server successfully.
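The steps above check several things by hand (the service, the registry key, the DLL, the COM class from the error). As an added example, not part of the original post, this read-only PowerShell function performs those checks in one go so you can see which piece is missing before registering DLLs or copying files; the function name and check labels are my own.

```powershell
# Added example, not from the original post: read-only checks for the items the
# troubleshooting steps above work through. Run from an elevated prompt.
function Test-SoftwareShadowProvider {
    $clsid = '{65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}'   # CLSID quoted in the VSS error above
    $dll   = Join-Path $env:SystemRoot 'System32\swprv.dll'

    $checks = [ordered]@{
        'swprv.dll present in System32'       = Test-Path -LiteralPath $dll
        'SW_PROV CLSID registered under HKCR' = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        'Services\swprv registry key present' = Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\swprv'
        'swprv service visible to the SCM'    = [bool](Get-Service -Name swprv -ErrorAction SilentlyContinue)
        'VSS service visible to the SCM'      = [bool](Get-Service -Name VSS -ErrorAction SilentlyContinue)
    }

    # vssadmin is the authoritative view: the software provider must be listed here
    # for backups and the Shadow Copies tab to work. Needs elevation, otherwise empty.
    $providers = & vssadmin.exe list providers 2>$null
    $checks['Software provider listed by vssadmin'] = (($providers -join "`n") -match 'Microsoft Software Shadow Copy provider')

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

# Usage: Test-SoftwareShadowProvider | Format-Table -AutoSize
```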

Feb 26 2014
 

Windows 2008 R2 Event Message:

The Remote Desktop license server cannot update the license attributes for user “%1!s!” in the Active Directory Domain “%2!s!”. Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain “%2!s!”.
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Remote Desktop Licensing service to track or report the usage of RDS Per User CALs.
Win32 error code: %3!s!

I got Win32 error code: 0x80070005

Possible reason why the issue exists:

It is a problem with the read/write permissions granted to the group “Terminal Server License Servers”. This group does not exist in Windows Server 2000 and appears with Windows Server 2003. If your domain was originally Windows 2000, was migrated to Windows 2003 and has now been migrated to Windows Server 2008, it is possible that this is your problem.

 

Possible Solutions

1) Add the license server to the Terminal Server License Servers group and restart the Remote Desktop Licensing service.

Follow the instructions at http://technet.microsoft.com/en-us/library/ee890942(v=ws.10).aspx

2) Update settings on particular user objects

Go into Active Directory Users and Computers.

Go into the Properties of a particular user; select the Security tab and click Advanced.

You’ll notice that there are no security permission entries for Terminal Server License Server, or the group might not even be there.

Edit or add the rights as below:
Read Terminal Server License Server
Write Terminal Server License Server

 

3) ADSIEDIT [Do at your own risk]

On an Active Directory server open ADSIEDIT, go to the properties of whichever OU, then Security, the Advanced button, add “Terminal Server License Server”, go to the Properties tab, and under “Apply to” choose “Descendant User Objects”.

Set the following rights:
Read Terminal Server license server “Allow”
Write Terminal Server license server “Allow”

Nov 16 2013
 

Based in Kenilworth, Cape Town, I had the Telkom Faster ADSL line at 2Mbps, but was only getting roughly 512Mbps download due to the saturation in the area.

So I decided to give the Telkom HomeOffice LTE a go. I ordered and received the package a week later on a Friday, the activation took another 5 days before the device connected to the internet.

In the packaging there is some information about support; the number works but not the select options.

Don’t bother phoning the number before you are activated, as they won’t have your details on the system.

I found out you can dial 081183 for Technical support.

 

I have the device on the ground floor in the kitchen of my duplex and the signal strength does not seem great at 1 bar. I will be trying to move the device around in different areas to see if strength increases. Seeing it only needs power, should be easy enough.

As you can see the download speed is much faster than traditional fixed ADSL line, but the upload is not great.

Off the bat, I am slightly disappointed as it’s not even close to the possible 90Mbps, but I’ll play around with the system and see if we can improve performance.

Update 17 November 2013

The internet was strangely getting slow, so I searched around for a better signal and found 3 bars in a spare bedroom.

Did another speed test from my Samsung Note 3 in the same room and from the downstairs computer; speed is actually slower today!

 

Update 19 November 2013

Returning the device; the speed is not that great in our area and we have somehow reached our 10Gb limit in 7 days?!

Update 1 January 2014

This morning I got an SMS that I’ve been billed R798.00 with reference TELKOMMOBI5007#####, phoned support and was advised that the product was still active and had not been cancelled as requested. So off this morning to Cavendish to the Telkom Data shop with proof of cancellation to make sure I get a refund and the product is cancelled!

Jul 02 2013
 

Had an issue where some updates were not downloading to WSUS, and was receiving the following application event error:

Event ID: 364
Source: Windows Server Update Services

Content file download failed. Reason: The operation being requested was not performed because the user has not logged on to the network. The specified service does not exist. (Exception from HRESULT: 0x800704DD) Source File: /msdownload/update/software/secu/2012/04/windows6.1-kb2690533-x86_9aceb828aa625f63a9eafd56e990b722976e7e23.cab Destination File: c:\Program Files\Update Services\LogFiles\WSusTemp\9ACEB828AA625F63A9EAFD56E990B722976E7E23.cab.

 

To fix this, all I had to change was the Log On As account to Network Service for the Update Services service, and then restart the service.

FIXED !